[IS&T Security-FYI] SFYI Newsletter, September 12, 2011

Monique Yeaton myeaton at MIT.EDU
Mon Sep 12 15:42:07 EDT 2011


In this issue:


1. Apache Denial-of-Service Update

2. DigiNotar Certificates Threat Averted by Vendors

3. Safer Browsing With Extensions



=============================

1. Apache Denial-of-Service Update

=============================


In the last Security FYI issue, we included a warning about the Apache webserver denial-of-service (DoS) vulnerability, in which a relatively small number of requests directed at the server can exhaust its resources and cause a denial of service. After that warning went out, Red Hat released patched Apache (httpd) packages for RHEL 4, 5 and 6 on September 1.


Red Hat security update: <https://rhn.redhat.com/errata/RHSA-2011-1245.html>



=========================================

2. DigiNotar Certificates Threat Averted by Vendors

=========================================


Trust problems arose when it came to light two weeks ago that DigiNotar, a Dutch certificate authority, had issued fraudulent SSL certificates. All major operating system (OS) vendors and browser developers have since released updates that remove trust in DigiNotar's root certificates.


Mozilla has released Firefox 3.6.22 and Firefox 6.0.2 to address this issue. Additional information can be found in the Mozilla Security Blog<http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/>.


Microsoft has removed the DigiNotar root certificates from the Microsoft Certificate Trust List. This change affects all versions of Windows Vista, Windows 7, Windows XP, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2003. Additional information can be found in Microsoft Security Advisory 2607712<http://www.microsoft.com/technet/security/advisory/2607712.mspx?pubDate=2011-08-29>.


Google Chrome users were protected from this attack on Google sites by Chrome's built-in certificate pinning: for pinned Google domains, Chrome accepts a certificate only if its chain contains one of a short list of expected public keys, so a certificate from an unexpected CA is rejected even when that CA is otherwise trusted. Pinning does not cover other sites, so Google has also released Chrome 13.0.782.220 for Windows, Mac, Linux, and Chrome Frame to remove trust in DigiNotar. Additional information can be found in the Google Security Blog<http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html> and in the Google Chrome Releases blog entry<http://googlechromereleases.blogspot.com/2011/09/stable-channel-update.html>.


Apple has released Security Update 2011-005<http://support.apple.com/kb/HT4920> for Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion 10.7.1, and Lion Server 10.7.1 to address this issue.


Adobe will release an update to remove the DigiNotar certificate from the Adobe Approved Trust List. In the meantime, Adobe has released a blog entry<http://blogs.adobe.com/psirt/2011/09/update-on-diginotar-and-the-adobe-approved-trust-list-aatl.html> containing a work-around for Adobe Reader and Acrobat 9, and Adobe Reader and Acrobat X.
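The two checks behind this story, as an added example (not code from the newsletter or from any of the vendors named above): first, whether a PEM trust bundle still contains a DigiNotar root after the vendor updates; second, the pinning logic that let Chrome reject the fraudulent certificate independently of CA trust. Everything here is Python standard library. The DER reader and encoder are minimal (enough for the certificate fields used), and the certificates fed through them are constructed, unsigned dummies built in the script, not real DigiNotar or Google certificates; the key bytes, names and pin set are illustrative assumptions.

```python
import base64
import hashlib
import re
import ssl

# --- minimal DER encoder, used only to build constructed test certificates ---
def der(tag, content):
    """Encode one DER TLV with definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

CN_OID = bytes([0x55, 0x04, 0x03])                # id-at-commonName 2.5.4.3
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
RSA_ENC = bytes.fromhex("2a864886f70d010101")     # rsaEncryption

def der_name(cn):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue (CN as UTF8String)."""
    return der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, cn.encode()))))

def build_dummy_cert(subject_cn, issuer_cn, key_bytes):
    """Constructed, UNSIGNED X.509 v3 shell: valid DER layout, zero signature. Test data only."""
    version = der(0xA0, der(0x02, b"\x02"))
    serial = der(0x02, b"\x01")
    sig_alg = der(0x30, der(0x06, SHA256_RSA) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"110901000000Z") + der(0x17, b"130901000000Z"))
    spki = der(0x30, der(0x30, der(0x06, RSA_ENC) + der(0x05, b"")) + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, version + serial + sig_alg + der_name(issuer_cn) + validity + der_name(subject_cn) + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(32)))

# --- minimal DER reader ---
def read_tlv(buf, off):
    """Decode the TLV at `off`; return (tag, value, raw_tlv_bytes, next_offset)."""
    start, tag, length = off, buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                              # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    end = off + length
    return tag, buf[off:end], buf[start:end], end

def children(value):
    """Split a constructed value into its (tag, value, raw) components."""
    items, off = [], 0
    while off < len(value):
        tag, val, raw, off = read_tlv(value, off)
        items.append((tag, val, raw))
    return items

def name_cn(name_value):
    """Return the first commonName in an X.501 Name, or ''."""
    for _, rdn, _ in children(name_value):
        for _, atv, _ in children(rdn):
            oid, value = children(atv)[:2]
            if oid[1] == CN_OID:
                return value[1].decode("utf-8", "replace")
    return ""

def parse_cert(der_bytes):
    """Extract issuer CN, subject CN and the raw SubjectPublicKeyInfo from a DER certificate."""
    _, body, _, _ = read_tlv(der_bytes, 0)         # outer Certificate SEQUENCE
    fields = children(children(body)[0][1])        # tbsCertificate fields
    if fields[0][0] == 0xA0:                       # optional EXPLICIT [0] version
        fields = fields[1:]
    _serial, _sig_alg, issuer, _validity, subject, spki = fields[:6]
    return {"issuer": name_cn(issuer[1]), "subject": name_cn(subject[1]), "spki_der": spki[2]}

def pem_bundle_to_ders(pem_text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def find_distrusted_roots(pem_text, distrusted=("DigiNotar",)):
    """Subject CNs in a PEM trust bundle that still match a distrusted CA name (case-insensitive)."""
    hits = []
    for d in pem_bundle_to_ders(pem_text):
        cn = parse_cert(d)["subject"]
        if any(name.lower() in cn.lower() for name in distrusted):
            hits.append(cn)
    return hits

def spki_pin_sha256(der_bytes):
    """Chrome-style pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(parse_cert(der_bytes)["spki_der"]).digest()).decode()

def chain_matches_pins(chain_ders, pins):
    """Pin check applied on top of normal chain validation: some certificate in the presented
    chain must carry a pinned public key, otherwise the connection is rejected."""
    return any(spki_pin_sha256(c) in pins for c in chain_ders)

# --- constructed demo data (assumed names and keys, not real certificates) ---
LEGIT_LEAF = build_dummy_cert("www.example.com", "Good Root CA", b"\x01" * 64)
FRAUD_LEAF = build_dummy_cert("*.example.com", "DigiNotar Public CA", b"\x02" * 64)
PINS = {spki_pin_sha256(LEGIT_LEAF)}               # the site operator pins its own key
BUNDLE = (ssl.DER_cert_to_PEM_cert(build_dummy_cert("Good Root CA", "Good Root CA", b"\x03" * 64))
          + ssl.DER_cert_to_PEM_cert(build_dummy_cert("DigiNotar Root CA", "DigiNotar Root CA", b"\x04" * 64)))
```

Against a real system, `find_distrusted_roots(open(path).read())` would be run over the platform bundle (for example `/etc/pki/tls/certs/ca-bundle.crt` on RHEL) after applying the vendor update; an empty result is the expected outcome. The pinning half shows why Chrome did not need the update to protect Google sites: `FRAUD_LEAF` carries a key that is not in `PINS`, so `chain_matches_pins` rejects it even though nothing in this check ever consults the CA store.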



===========================

3. Safer Browsing With Extensions

===========================


Did you know that you can make your browser more secure by installing extensions? Let's take Firefox as an example and look at some add-ons designed to protect you while browsing the Web:


 *   Want to block ads, including ones that could lead you to more dangerous sites? Install Adblock Plus.
 *   Need protection against JavaScript, Java and other active content, which can be used for cross-site scripting (XSS), cross-zone DNS rebinding / CSRF attacks against home routers, and clickjacking? Install NoScript, which blocks such content by default and lets you allow it per site.
 *   Would you like to know which sites other users have found trustworthy? Install WOT (Web of Trust).
 *   Want to know in which country the webserver you are connected to is located? Install Flagfox.
 *   Want to preview a page before you click its link? Install CoolPreviews.
 *   Wonder whether you are being tracked across sites by Google, eBay or YouTube and want to block it? Install BetterPrivacy or Ghostery.


Find out more about Firefox extensions here: <https://addons.mozilla.org/en-US/firefox/extensions/>

Chrome extensions: <https://chrome.google.com/extensions>

Safari extensions: <https://extensions.apple.com/>

IE extensions: <http://www.ieaddons.com/en/>


===================================================================================

Read all Security FYI Newsletter articles and submit comments online at http://securityfyi.wordpress.com/.

===================================================================================



Monique Yeaton
IT Security Communications Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

